CWE-617
AllowedReachable Assertion
Abstraction: Base · Status: Draft
The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.
989 vulnerabilities reference this CWE, most recent first.
GHSA-M6CV-4FMF-66XF
Vulnerability from github – Published: 2022-09-16 21:14 – Updated: 2022-09-19 19:50Impact
If RaggedTensorToVariant is given a rt_nested_splits list that contains tensors of ranks other than one, it results in a CHECK fail that can be used to trigger a denial of service attack.
import tensorflow as tf
batched_input = True
rt_nested_splits = tf.constant([0,32,64], shape=[3], dtype=tf.int64)
rt_dense_values = tf.constant([0,32,64], shape=[3], dtype=tf.int64)
tf.raw_ops.RaggedTensorToVariant(rt_nested_splits=rt_nested_splits, rt_dense_values=rt_dense_values, batched_input=batched_input)
Patches
We have patched the issue in GitHub commit 88f93dfe691563baa4ae1e80ccde2d5c7a143821.
The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range.
For more information
Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.
Attribution
This vulnerability has been reported by Neophytos Christou, Secure Systems Labs, Brown University.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.7.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "2.8.0"
},
{
"fixed": "2.8.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "2.9.0"
},
{
"fixed": "2.9.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.7.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.8.0"
},
{
"fixed": "2.8.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.9.0"
},
{
"fixed": "2.9.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.7.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.8.0"
},
{
"fixed": "2.8.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.9.0"
},
{
"fixed": "2.9.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-36018"
],
"database_specific": {
"cwe_ids": [
"CWE-617"
],
"github_reviewed": true,
"github_reviewed_at": "2022-09-16T21:14:10Z",
"nvd_published_at": "2022-09-16T22:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\nIf `RaggedTensorToVariant` is given a `rt_nested_splits` list that contains tensors of ranks other than one, it results in a `CHECK` fail that can be used to trigger a denial of service attack.\n```python\nimport tensorflow as tf\n\nbatched_input = True\nrt_nested_splits = tf.constant([0,32,64], shape=[3], dtype=tf.int64)\nrt_dense_values = tf.constant([0,32,64], shape=[3], dtype=tf.int64)\ntf.raw_ops.RaggedTensorToVariant(rt_nested_splits=rt_nested_splits, rt_dense_values=rt_dense_values, batched_input=batched_input)\n```\n\n### Patches\nWe have patched the issue in GitHub commit [88f93dfe691563baa4ae1e80ccde2d5c7a143821](https://github.com/tensorflow/tensorflow/commit/88f93dfe691563baa4ae1e80ccde2d5c7a143821).\n\nThe fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range.\n\n\n### For more information\nPlease consult [our security guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for more information regarding the security model and how to contact us with issues and questions.\n\n\n### Attribution\nThis vulnerability has been reported by Neophytos Christou, Secure Systems Labs, Brown University.\n",
"id": "GHSA-m6cv-4fmf-66xf",
"modified": "2022-09-19T19:50:41Z",
"published": "2022-09-16T21:14:10Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-m6cv-4fmf-66xf"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36018"
},
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/commit/88f93dfe691563baa4ae1e80ccde2d5c7a143821"
},
{
"type": "PACKAGE",
"url": "https://github.com/tensorflow/tensorflow"
},
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/releases/tag/v2.10.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "TensorFlow vulnerable to `CHECK` fail in `RaggedTensorToVariant`"
}
GHSA-M6J8-2W79-QRGP
Vulnerability from github – Published: 2022-05-24 16:51 – Updated: 2023-03-03 03:30DSM in libopenmpt before 0.4.2 allows an assertion failure during file parsing with debug STLs.
{
"affected": [],
"aliases": [
"CVE-2019-14382"
],
"database_specific": {
"cwe_ids": [
"CWE-617"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-07-30T19:15:00Z",
"severity": "MODERATE"
},
"details": "DSM in libopenmpt before 0.4.2 allows an assertion failure during file parsing with debug STLs.",
"id": "GHSA-m6j8-2w79-qrgp",
"modified": "2023-03-03T03:30:23Z",
"published": "2022-05-24T16:51:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14382"
},
{
"type": "WEB",
"url": "https://lib.openmpt.org/libopenmpt/2019/01/22/security-updates-0.4.2-0.3.15-0.2.11253-beta37-0.2.7561-beta20.5-p13-0.2.7386-beta20.3-p16"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00084.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00085.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M6VP-8Q9J-WHX4
Vulnerability from github – Published: 2022-09-16 22:31 – Updated: 2022-09-19 19:40Impact
If Save or SaveSlices is run over tensors of an unsupported dtype, it results in a CHECK fail that can be used to trigger a denial of service attack.
import tensorflow as tf
filename = tf.constant("")
tensor_names = tf.constant("")
# Save
data = tf.cast(tf.random.uniform(shape=[1], minval=-10000, maxval=10000, dtype=tf.int64, seed=-2021), tf.uint64)
tf.raw_ops.Save(filename=filename, tensor_names=tensor_names, data=data, )
# SaveSlices
shapes_and_slices = tf.constant("")
data = tf.cast(tf.random.uniform(shape=[1], minval=-10000, maxval=10000, dtype=tf.int64, seed=9712), tf.uint32)
tf.raw_ops.SaveSlices(filename=filename, tensor_names=tensor_names, shapes_and_slices=shapes_and_slices, data=data, )
Patches
We have patched the issue in GitHub commit 5dd7b86b84a864b834c6fa3d7f9f51c87efa99d4.
The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range.
For more information
Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.
Attribution
This vulnerability has been reported by Di Jin, Secure Systems Labs, Brown University
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.7.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "2.8.0"
},
{
"fixed": "2.8.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "2.9.0"
},
{
"fixed": "2.9.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.7.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.8.0"
},
{
"fixed": "2.8.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.9.0"
},
{
"fixed": "2.9.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.7.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.8.0"
},
{
"fixed": "2.8.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.9.0"
},
{
"fixed": "2.9.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-35983"
],
"database_specific": {
"cwe_ids": [
"CWE-617"
],
"github_reviewed": true,
"github_reviewed_at": "2022-09-16T22:31:14Z",
"nvd_published_at": "2022-09-16T22:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\nIf `Save` or `SaveSlices` is run over tensors of an unsupported `dtype`, it results in a `CHECK` fail that can be used to trigger a denial of service attack.\n```python\nimport tensorflow as tf\nfilename = tf.constant(\"\")\ntensor_names = tf.constant(\"\")\n# Save\ndata = tf.cast(tf.random.uniform(shape=[1], minval=-10000, maxval=10000, dtype=tf.int64, seed=-2021), tf.uint64)\ntf.raw_ops.Save(filename=filename, tensor_names=tensor_names, data=data, )\n# SaveSlices\nshapes_and_slices = tf.constant(\"\")\ndata = tf.cast(tf.random.uniform(shape=[1], minval=-10000, maxval=10000, dtype=tf.int64, seed=9712), tf.uint32)\ntf.raw_ops.SaveSlices(filename=filename, tensor_names=tensor_names, shapes_and_slices=shapes_and_slices, data=data, )\n```\n\n### Patches\nWe have patched the issue in GitHub commit [5dd7b86b84a864b834c6fa3d7f9f51c87efa99d4](https://github.com/tensorflow/tensorflow/commit/5dd7b86b84a864b834c6fa3d7f9f51c87efa99d4).\n\nThe fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range.\n\n\n### For more information\nPlease consult [our security guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for more information regarding the security model and how to contact us with issues and questions.\n\n\n### Attribution\nThis vulnerability has been reported by Di Jin, Secure Systems Labs, Brown University\n",
"id": "GHSA-m6vp-8q9j-whx4",
"modified": "2022-09-19T19:40:44Z",
"published": "2022-09-16T22:31:14Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-m6vp-8q9j-whx4"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35983"
},
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/commit/5dd7b86b84a864b834c6fa3d7f9f51c87efa99d4"
},
{
"type": "PACKAGE",
"url": "https://github.com/tensorflow/tensorflow"
},
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/releases/tag/v2.10.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "TensorFlow vulnerable to `CHECK` fail in `Save` and `SaveSlices`"
}
GHSA-M8CH-V4G3-CQ3G
Vulnerability from github – Published: 2023-11-27 12:30 – Updated: 2024-04-30 15:30A flaw was found in libnbd, due to a malicious Network Block Device (NBD), a protocol for accessing Block Devices such as hard disks over a Network. This issue may allow a malicious NBD server to cause a Denial of Service.
{
"affected": [],
"aliases": [
"CVE-2023-5871"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-617",
"CWE-671"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-27T12:15:07Z",
"severity": "MODERATE"
},
"details": "A flaw was found in libnbd, due to a malicious Network Block Device (NBD), a protocol for accessing Block Devices such as hard disks over a Network. This issue may allow a malicious NBD server to cause a Denial of Service.",
"id": "GHSA-m8ch-v4g3-cq3g",
"modified": "2024-04-30T15:30:35Z",
"published": "2023-11-27T12:30:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5871"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:2204"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2023-5871"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2247308"
},
{
"type": "WEB",
"url": "https://lists.libguestfs.org/archives/list/guestfs@lists.libguestfs.org/thread/PFVUCMPFQUDC23JXSCUUPXIGDZ7XCFMD"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-MC5C-3HV5-5HJW
Vulnerability from github – Published: 2022-09-02 00:01 – Updated: 2022-09-08 00:00Assertion fail in the display_debug_names() function in binutils/dwarf.c may lead to program crash and denial of service.
{
"affected": [],
"aliases": [
"CVE-2022-38126"
],
"database_specific": {
"cwe_ids": [
"CWE-617"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-09-01T21:15:00Z",
"severity": "MODERATE"
},
"details": "Assertion fail in the display_debug_names() function in binutils/dwarf.c may lead to program crash and denial of service.",
"id": "GHSA-mc5c-3hv5-5hjw",
"modified": "2022-09-08T00:00:32Z",
"published": "2022-09-02T00:01:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38126"
},
{
"type": "WEB",
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=29289"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MCG5-WX5M-R344
Vulnerability from github – Published: 2025-07-29 15:31 – Updated: 2025-07-30 15:35An issue in FlashMQ v1.14.0 allows attackers to cause an assertion failure via sending a crafted retain message, leading to a Denial of Service (DoS).
{
"affected": [],
"aliases": [
"CVE-2024-42645"
],
"database_specific": {
"cwe_ids": [
"CWE-617"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-29T14:15:34Z",
"severity": "HIGH"
},
"details": "An issue in FlashMQ v1.14.0 allows attackers to cause an assertion failure via sending a crafted retain message, leading to a Denial of Service (DoS).",
"id": "GHSA-mcg5-wx5m-r344",
"modified": "2025-07-30T15:35:51Z",
"published": "2025-07-29T15:31:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42645"
},
{
"type": "WEB",
"url": "https://github.com/halfgaar/FlashMQ"
},
{
"type": "WEB",
"url": "https://github.com/songxpu/bug_report/blob/master/MQTT/FlashMQ/CVE-2024-42645.md"
},
{
"type": "WEB",
"url": "https://www.flashmq.org/2024/06/17/flashmq-1-15-1-released"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MF84-JXH2-RC4J
Vulnerability from github – Published: 2025-01-22 15:32 – Updated: 2025-01-23 18:31A reachable assertion in the mme_ue_find_by_imsi function of Open5GS <= 2.6.4 allows attackers to cause a Denial of Service (DoS) via a crafted NAS packet.
{
"affected": [],
"aliases": [
"CVE-2024-24430"
],
"database_specific": {
"cwe_ids": [
"CWE-617"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-22T15:15:12Z",
"severity": "HIGH"
},
"details": "A reachable assertion in the mme_ue_find_by_imsi function of Open5GS \u003c= 2.6.4 allows attackers to cause a Denial of Service (DoS) via a crafted NAS packet.",
"id": "GHSA-mf84-jxh2-rc4j",
"modified": "2025-01-23T18:31:18Z",
"published": "2025-01-22T15:32:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24430"
},
{
"type": "WEB",
"url": "https://cellularsecurity.org/ransacked"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MFF3-M38V-MGV6
Vulnerability from github – Published: 2025-08-21 15:30 – Updated: 2025-08-21 15:30A vulnerability was determined in cmake 4.1.20250725-gb5cce23. This affects the function cmForEachFunctionBlocker::ReplayItems of the file cmForEachCommand.cxx. This manipulation causes reachable assertion. The attack needs to be launched locally. The exploit has been publicly disclosed and may be utilized. Patch name: 37e27f71bc356d880c908040cd0cb68fa2c371b8. It is suggested to install a patch to address this issue.
{
"affected": [],
"aliases": [
"CVE-2025-9301"
],
"database_specific": {
"cwe_ids": [
"CWE-617"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-21T14:15:44Z",
"severity": "MODERATE"
},
"details": "A vulnerability was determined in cmake 4.1.20250725-gb5cce23. This affects the function cmForEachFunctionBlocker::ReplayItems of the file cmForEachCommand.cxx. This manipulation causes reachable assertion. The attack needs to be launched locally. The exploit has been publicly disclosed and may be utilized. Patch name: 37e27f71bc356d880c908040cd0cb68fa2c371b8. It is suggested to install a patch to address this issue.",
"id": "GHSA-mff3-m38v-mgv6",
"modified": "2025-08-21T15:30:35Z",
"published": "2025-08-21T15:30:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9301"
},
{
"type": "WEB",
"url": "https://drive.google.com/file/d/1TerUqQB8_lzJTwIBCBmE94zn7n-gOz4f/view?usp=sharing"
},
{
"type": "WEB",
"url": "https://gitlab.kitware.com/cmake/cmake/-/commit/37e27f71bc356d880c908040cd0cb68fa2c371b8"
},
{
"type": "WEB",
"url": "https://gitlab.kitware.com/cmake/cmake/-/issues/27135"
},
{
"type": "WEB",
"url": "https://gitlab.kitware.com/cmake/cmake/-/issues/27135#note_1691629"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.320906"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.320906"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.632369"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-MFJ5-8WWQ-98RR
Vulnerability from github – Published: 2026-06-26 21:32 – Updated: 2026-07-08 06:31In the Linux kernel, the following vulnerability has been resolved:
net: phonet: do not BUG_ON() in pn_socket_autobind() on failed bind
syzbot reported a kernel BUG triggered from pn_socket_sendmsg() via pn_socket_autobind():
kernel BUG at net/phonet/socket.c:213! RIP: 0010:pn_socket_autobind net/phonet/socket.c:213 [inline] RIP: 0010:pn_socket_sendmsg+0x240/0x250 net/phonet/socket.c:421 Call Trace: sock_sendmsg_nosec+0x112/0x150 net/socket.c:797 __sock_sendmsg net/socket.c:812 [inline] __sys_sendto+0x402/0x590 net/socket.c:2280 ...
pn_socket_autobind() calls pn_socket_bind() with port 0 and, on -EINVAL, assumes the socket was already bound and asserts that the port is non-zero:
err = pn_socket_bind(sock, ..., sizeof(struct sockaddr_pn)); if (err != -EINVAL) return err; BUG_ON(!pn_port(pn_sk(sock->sk)->sobject)); return 0; / socket was already bound /
However pn_socket_bind() also returns -EINVAL when sk->sk_state is not TCP_CLOSE, even when the socket has never been bound and pn_port() is still 0. In that case the BUG_ON() fires and panics the kernel from a user-triggerable path.
Treat the "bind returned -EINVAL but pn_port() is still 0" case as a regular error and propagate -EINVAL to the caller instead of crashing. Existing callers already translate a non-zero return from pn_socket_autobind() into -ENOBUFS/-EAGAIN, so returning -EINVAL here only changes behaviour from panic to a normal errno.
{
"affected": [],
"aliases": [
"CVE-2026-53292"
],
"database_specific": {
"cwe_ids": [
"CWE-617"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-26T20:17:22Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: phonet: do not BUG_ON() in pn_socket_autobind() on failed bind\n\nsyzbot reported a kernel BUG triggered from pn_socket_sendmsg() via\npn_socket_autobind():\n\n kernel BUG at net/phonet/socket.c:213!\n RIP: 0010:pn_socket_autobind net/phonet/socket.c:213 [inline]\n RIP: 0010:pn_socket_sendmsg+0x240/0x250 net/phonet/socket.c:421\n Call Trace:\n sock_sendmsg_nosec+0x112/0x150 net/socket.c:797\n __sock_sendmsg net/socket.c:812 [inline]\n __sys_sendto+0x402/0x590 net/socket.c:2280\n ...\n\npn_socket_autobind() calls pn_socket_bind() with port 0 and, on\n-EINVAL, assumes the socket was already bound and asserts that the\nport is non-zero:\n\n err = pn_socket_bind(sock, ..., sizeof(struct sockaddr_pn));\n if (err != -EINVAL)\n return err;\n BUG_ON(!pn_port(pn_sk(sock-\u003esk)-\u003esobject));\n return 0; /* socket was already bound */\n\nHowever pn_socket_bind() also returns -EINVAL when sk-\u003esk_state is not\nTCP_CLOSE, even when the socket has never been bound and pn_port() is\nstill 0. In that case the BUG_ON() fires and panics the kernel from a\nuser-triggerable path.\n\nTreat the \"bind returned -EINVAL but pn_port() is still 0\" case as a\nregular error and propagate -EINVAL to the caller instead of crashing.\nExisting callers already translate a non-zero return from\npn_socket_autobind() into -ENOBUFS/-EAGAIN, so returning -EINVAL here\nonly changes behaviour from panic to a normal errno.",
"id": "GHSA-mfj5-8wwq-98rr",
"modified": "2026-07-08T06:31:35Z",
"published": "2026-06-26T21:32:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53292"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5b0c911bcdbd982f7748d11c0b39ec5808eae2de"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6db58ee730bf434d1afca91b91826e26688856ed"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MG8V-G9MC-P4F8
Vulnerability from github – Published: 2023-11-02 15:30 – Updated: 2025-11-04 00:30A vulnerability was found in Avahi. A reachable assertion exists in the avahi_escape_label() function.
{
"affected": [],
"aliases": [
"CVE-2023-38470"
],
"database_specific": {
"cwe_ids": [
"CWE-617"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-02T15:15:08Z",
"severity": "MODERATE"
},
"details": "A vulnerability was found in Avahi. A reachable assertion exists in the avahi_escape_label() function.",
"id": "GHSA-mg8v-g9mc-p4f8",
"modified": "2025-11-04T00:30:40Z",
"published": "2023-11-02T15:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38470"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2023-38470"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2191690"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/12/msg00011.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Make sensitive open/close operation non reachable by directly user-controlled data (e.g. open/close resources)
Mitigation
Strategy: Input Validation
Perform input validation on user data.
No CAPEC attack patterns related to this CWE.